Growing an IAM Team

Post on 27-Oct-2021


IAM Online
Wednesday, February 10, 2021

Presenters:

Christopher Bongaarts, University of Minnesota
KT Cragg, University of Minnesota
Bernard Gulachek, University of Minnesota
Kevin Morooney, Internet2, Moderator

KT Cragg - Christopher Bongaarts - Bernard Gulachek

University of Minnesota
Office of Information Technology
Identity and Access Management

Overview

Origination

Origination - 1992

● Trigger - need for consolidated student/staff data; mainframe not agile enough to supply
● Grew out of central (academic) computing group in early 90's
● Supported central campus-wide email project (1992) and ID card (1993)
  ○ LDAP to support email address lookup
  ○ ID Card needed unification of staff and student data
● ~4-8 people with a hand in it, mostly sysadmins
  ○ "Identity" functions one of many services
● Survived as a unit until manager (Frank Grewe) passed away suddenly in 2004

Fission

Fission - 2008

● Trigger - without Frank, group lacked strong leader to protect us
● Hung on for a few years, but were eventually split up in 2008
  ○ Identity group got 2 of the 8 people, hired a third in 2009
● Despite onboarding struggles, stood up Shib and Grouper services
● Culture clash with new manager
  ○ Developers vs Sysadmins
  ○ Cowboys vs process

Expansion

Expansion - 2012

● Trigger - OIM, Peoplesoft upgrade (ESUP) projects and new focus on IDM
● Matrix model ("plaid management")
  ○ 1 service owner, 2 devs/pseudo-BAs
● OIM project started 2009
  ○ ESUP, consultant debacle delayed real start to 2016
● Got our first "real" business analyst in 2014
  ○ First attempts at agile (simplified Scrum)
● 2 ESUP developers folded into IAM team in 2014
● Applications Development organizational woes
  ○ IDM grew to 8 people managed by 7 managers
  ○ Between 2012 and 2018 I had 10 different managers.

Consolidation

Consolidation - 2018

● Trigger - communications/consistency issues from multiple managers
● Consolidated all IDM staff under one line manager
  ○ consistent leadership, messaging, direction
  ○ Change agent - took ownership, was able to push process change
● Security event - nice crisis to leverage change, add additional BA/PM
● Governance with BPOs
  ○ Less reliance on developers to guess the Right Thing to Do
● Kanban - legacy identity system project, first big all team effort
● Scrum - full Agile implementation - Service owner also as product owner

Fission, Again

Fission, Again - 2020

● Trigger - hiring more people till single agile team was Too Big
● Split into two teams
  ○ Identity Management - OIM (person registry)
  ○ Access Management - Shib, Grouper, LDAP, RADIUS, etc.
● Back to Forming stage in Tuckman's model (more later)

A place of our own

A place of our own - Fall 2020

● Trigger - higher management support, AppDev Sr. Director retirement
● New IAM directorate separate from Applications Development
● Adopting Scaled Agile Framework (SAFe)
● Transition into staffing pros:
  ○ Dedicated communications/change manager, dedicated QA analyst
  ○ Diverse skill set and demographics
● Added AD team under IAM
  ○ possible now due to IAM directorate and successful agile implementation

Workflow Changes

Workflow changes

● What works for three people and what works for 5, 10, 15, doesn’t scale
  ○ “Just ask Kevin and he will do it”
  ○ Get lots done quickly, but no background documentation to reference later
● Oral tradition to Agile to get work done transparently
  ○ Got us out of operational response mode
  ○ Started setting priorities over a period of time (roadmapping).
  ○ From every two weeks to quarterly
  ○ Balance ops work with project work

An Agile Approach

What is Agile?

● In product development, agile practices approach discovering requirements and developing solutions through the collaborative effort of self-organizing and cross-functional teams and their customer/end user.
● Leveraging Agile values
  ■ Individuals and Interactions over Processes and Tools
  ■ Working Systems, over documentation
  ■ Customer coordination, vs contract negotiation
  ■ Responding to Change, over following a plan

Agile - Our Kanban Journey

● Kanban - a quick approach for coordinating work
  ○ Kanban is a lean method to manage and improve work across human systems. This approach aims to manage work by balancing demands with available capacity, and by improving the handling of system-level bottlenecks.
  ○ Work in/Work out

Agile - Our Scrum Journey

● Scrum is an agile framework for developing, delivering, and sustaining complex products, with an initial emphasis on software development, although it has been used in other fields including research, sales, marketing and advanced technologies.
● Scrum Events - Daily Stand up, Demo, Retrospective and Iteration Planning
  ○ Roles: Product Owner, Scrum Master, Product Team
  ○ Jira as source of truth for all non-ops work

Tuckman’s Model for Team Development

Team Formation - Tools and Techniques

● SWOT analysis - strengths, weaknesses, opportunities and threats
● Affinity Mapping - id-ing priorities and timing
● Two Day Team Building Working Sessions
  ○ Included stakeholders, scrum masters, product owners and development team members
  ○ Why are we doing this?
  ○ What do we need from each other to be successful?
  ○ Creation of Team Charter - our purpose

Team Formation - Tools and Techniques

Values                                   | AntiValues
Curious to learn new things              | Spin and starting things we never finish
Diverse knowledge and expertise          | Single points of failure and complex knowledge shares
Customer focus and network beyond AppDev | Don’t say no, technical debt, too much networking
Teamwork and collaboration               | Too many cooks, consensus building and group think
Transparency                             | Security and time required
Dedication                               | Burnout
Integrity                                | Boil the ocean and lack of compromise

Team Formation - Tools and Techniques

Working Agreements:

1. Being physically present (zoom counts) at meetings is a priority
   a. If you can’t make it to daily scrum, send your update to the IDM Team hipchat room prior to 9:45 the morning of.
2. Update the Jira board in real time
3. Make sure your team & calendar is up to date with upcoming vacations and days off (especially over the summer months) prior to sprint planning for capacity planning.
4. Don’t jump right into solutions
5. Just because you can, doesn’t mean you should - consult with team first
6. Prioritize documentation more
7. Don’t bring everyone to every meeting, but recap priorities/decisions with team via email or slack.

SAFe - How we organize today

The Scaled Agile Framework is a set of organization and workflow patterns intended to guide enterprises in scaling lean and agile practices. Involves coordinating work on a quarterly basis across IT teams.

● Benefits
  ○ Common vocabulary for discussing team formation stages/challenges
  ○ Work transparency and cross functional teams
  ○ Leadership involvement and support
  ○ Smooth transition to Covid 19 work from home life
● Challenges
  ○ Change is hard
  ○ DevOps team that does more than develop, code, test, release = doesn’t fit traditional Scrum team model, we still have specialists
  ○ Might be more structure than we may end up needing

IAM Team Make Up - Leadership/Team Leads/Architects

● Business Owner/Senior Director
● Senior Product Manager/Service Owner
● Release Train Engineer/Communicator
● Senior Manager
● System Architects
● Security Analyst
● Tier 3 Support

IAM Team Make Up - Team Level

Access Team - 6 applications
● Product Owner
● Full Stack Developers, 2
● Infrastructure Ops
● Developer
● Business Systems Analyst

Identity Team - 2 applications
● Product Owner
● Business Analyst/Scrum Master
● Developer, 2
● Quality Assurance Analyst
● Infrastructure Ops

Active Directory - 1 application
● Product Owner (shared with Access)
● Developer, 2

IAM Secure Program
z.umn.edu/iamsecure

Governance Structure - the Lifecycle Committee

[Diagram: governance structure. Bodies shown: Identity Management Service Program Team; Identity and Access Management Lifecycle Committee; Identity and Access Management Executive Oversight Committee; Identity and Access Management Leadership Steering Team*. Labels shown: Technology; Business Process/Policy; Technology/Staffing; Middle-Management; Senior Leadership; Executive Leadership.]

IAM Program: High-Level Timeline (FY 2020 - FY 2024)

[Figure: timeline chart. Tracks shown: Access Management; Identity Management: Account Lifecycle Transformation. Items shown: Group Based Access Controls; Access Deprovisioning; Align Identity Technologies; New and Improved Identity Store; Modernize Account Types; Cloud Access Management.]

SAFe - Impacts to UMN business

○ Increased Productivity
  ■ New users can lose productivity and time as they wait for accounts to be created. Delays in the ability to access resources often result when manual workflows and approvals cannot be streamlined.
○ Enhanced Security
  ■ The inability to streamline the deprovisioning of users or manage user access privileges to applications and resources exposes the University to the risk of unauthorized access and audit compliance issues.
○ Improved Sharing Ability for Information Across Applications
  ■ Applications are unable to share information that should be shared, such as contact information, files, and common data for calendars and other frequently-used functions.

SAFe Implementation - a CIO’s perspective

Questions?

Thank you!

KT Cragg
crag0006@umn.edu

Christopher Bongaarts
cab@umn.edu

Bernie Gulachek
bernard@umn.edu